Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Ratings Algorithm Update – July 10, 2025

Ingrid

The ratings algorithm has been updated!

Changes to the ratings algorithm from the 2025 Ratings Algorithm Update (RAU):

Web Application Risk Vectors

Web Application Security is now rating-impacting, replacing the 5% weight of Web Application Headers in the overall rating. No other risk vector weights were changed. The Web Application Headers risk vector will be available as an informational risk vector until it is eventually deprecated.

See the migration plan and adjustments to the possible finding grades and weights of assessments.

Time Period Decrease on Findings with Insufficient Data or No Data

If the only finding for a risk vector expires (no more data), that finding is currently used for up to 400 days past the finding expiration date. With RAU25, we changed that time period to 340 days to ensure that those findings are always visible to users.

Rating Drop Prevention

Rating drops for certain risk vectors are prevented if there are no negative findings.

Small possibilities that the scoring curve changes, creating rating drops in the absence of negative findings, are removed. This is so the risk vector grade cannot drop if there’s only positive finding grades (for TLS/SSL Certificates, TLS/SSL Configurations, and Open Ports).

Clarifying the Path to Perfect Risk Vector Grades

The relationship between the total number of findings and the risk vector grade is determined by a curve relative to the number of findings that other similar entities have. Companies that do not have negative findings are assigned a raw risk vector score depending on the total number of findings. This in turn corresponds with letter grade. The changes (as outlined below) are constrained to the raw score range equivalent to an A.

For the Open Ports, TLS/SSL Certificates, TLS/SSL Configurations, and Server Software risk vectors, the raw risk vector score are explicitly linked to the number of findings:

  • <10 Findings = 800 Raw Risk Vector Score
  • Between ≥10 and <50 Findings = 810 Raw Risk Vector Score
  • Findings ≥50 = 820 Raw Risk Vector Score

This makes understanding how to achieve the best letter grade more straightforward.

Was this article helpful?
8 out of 18 found this helpful
Return to top

Related articles

Feedback

0 comments

Please sign in to leave a comment.